Curious phishing/rootkit modifies banking webpages in-line, requesting full password.

Discussion in 'malware problems & news' started by Carl Farrington, Apr 3, 2009.

Thread Status:
Not open for further replies.
  1. Carl Farrington

    Carl Farrington Registered Member

    Joined:
    Jun 25, 2004
    Posts:
    57
    Location:
    Manchester, England, U.K.
    Curious one this. The infected computer works fine, however banking websites, which show the correct url and whose certificates appear fine, have an additional textbox asking for the full security phrase, instead of just various digits from the security phrase.
    I tried Lloyds, Rbsdigital.com and Hsbc personal banking, all showed these symptoms. DNS resolution of the sites appear correct.

    Has anybody seen this before? I have the files in a password protected 7z archive.


    Here's the analysis results for one of the .dlls, called through Run -> rundll32. Doesn't look good for detection rates.
    ~All Virus Total links removed per Policy.~


    Here are the results for twext.exe, which I've come across many times before. Called through Winlogon -> Userinit.
    ~Snip~

    c:\windows\system32\a.exe , doesn't appear to be called from anywhere that I've noticed yet, but obviously suspect filename and file date:
    ~Snip~

    c:\windows\system32\userinit32.exe , called via addition to Winlogon > Userinit, hidden from Windows API and only visable with icesword, but registry modification was re-creating itself after removal. File timestamp on this one is 2004-08-11 , same as most stock XP files.
    ~Snip~
    Microsoft Antivirus (whatever that is) misses this one.

    c:\windows\usebexuyiruburu.dll - can't remember where this was called from. Think it was HKCU -> Run, whereas others were HKLM -> Run
    ~Snip~
    Again Microsoft Antivirus does well while nearly all the other 38 antivirus programs fail.

    NOD doesn't find a thing.

    Is it time to switch to Microsoft Antivirus? o_O

    One of the staff at the client has convinced the infected chap that "Spybot would have found that", and that I should have run Spybot. (I take that to be Spybot S&D) :rolleyes: I used icesword, gmer, hijackthis and virustotal.com. He'll probably run Spybot S&D, find a couple of tracking cookies and tell me he told me so!

    I have nothing against Spybot S&D but it's long winded and unlikely to be of much use against rootkits and things that generally put themselves back in place as soon as they/their registry keys are removed.
     
    Last edited by a moderator: Apr 3, 2009
  2. Carl Farrington

    Carl Farrington Registered Member

    Joined:
    Jun 25, 2004
    Posts:
    57
    Location:
    Manchester, England, U.K.
    I'm unable to edit the above post since it was moderated.
    The purpose of the virustotal links was to get across the mesage that on average nearly 92% of the tested antivirus packages do not detect these files, so instead I'll give the statistics for each file and the virus names that were given, but without naming any antivirus products.

    All stats are from VT.com:

    First .dll file, ijowavate.dll, recognised by 2/40 scanners (5%). Recognised as: "Trojan:Win32/Hiloti.gen!A" and "High Risk Fraudulent Security Program"

    twext.exe, not to be confused with twext.dll (legitimate WinXP file), recognised by 4/40 scanners (10%). Recognised as: "Gen:Trojan.Heur.Dropper.B0F7080808" and "VirTool:Win32/Obfuscator.ES" and "Email-Worm.Win32.Waledac.Gen (v)"

    a.exe, same file as twext.exe above.

    userinit32.exe, recognised by 5/39 scanners (12.82%). Recognised as:
    "TR/Dropper.Gen" and "Gen:Trojan.Heur.Dropper.41629D9D9D" and "Trojan.Win32.Nodef.fga"

    usebexuyiruburu.dll, recognised by 2/40 scanners (5%). Recognised as:
    "Suspicious File" and "Trojan:Win32/Hiloti.gen!A" (same as first file, but different MD5 hash and only one product recognised it as the same thing).
     
  3. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Is Microsoft Antivirus an infector or a deinfector?
     
  4. Carl Farrington

    Carl Farrington Registered Member

    Joined:
    Jun 25, 2004
    Posts:
    57
    Location:
    Manchester, England, U.K.
    Is it not alarming to people how this is apparently modifying banking pages in-line ? It's got me concerned!
     
  5. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    My point is, This Product doesn't exist as a valid tool in name.
    Microsoft Antivirus and Win Antivirus were/are malware, no?

    After discovering the sleight, How did you determine what files were a threat?
     
  6. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    Not to throw fuel on the fire, but have you been using Ultrasurf ?
     
  7. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,979
    Location:
    U.S.A.
    Searching_ _ _, the Microsoft engine that VirusTotal uses is actually Windows Defender. VT just states Microsoft under AVs.

    @Carl Farrington,
    Malwarebytes Anti-Malware would eradicate Trojan.Hiloti, Trojan.Waledac and Trojan.Dropper. Because of the severe infection, the MBAM scan probably needs to run in Safe Mode.

    I don't think too many Wilders members would be alarmed at the sight of these Trojans when most of us have seen far worse.
     
  8. Carl Farrington

    Carl Farrington Registered Member

    Joined:
    Jun 25, 2004
    Posts:
    57
    Location:
    Manchester, England, U.K.
    Kind of figured that it would be Onecare or whatever MIcrosoft currently offers.

    I determined they were a threat due to how they were called, e.g. additions to Userinit under Winlogon, HKLM...>RUN>"asedalsedakl" (random characters etc.), and the fact that they were hidden from the Windows API, and the fact that both the symptoms disappeared after their removal, and the re-instigation of the bad registry keys stopped happening after others were removed.
     
  9. Carl Farrington

    Carl Farrington Registered Member

    Joined:
    Jun 25, 2004
    Posts:
    57
    Location:
    Manchester, England, U.K.
    It was a customer's computer, but I'm fairly sure the answer is no.
     
    Last edited: Apr 4, 2009
Loading...
Thread Status:
Not open for further replies.